Risk Acceptance Is A Key Factor To Next-Gen Security Strategies
Letting Reality, Not Perception, Drive Measurable Change
by Irena Mroz, SVP Marketing, Cryptzone
The continued prevalence of high-profile security breaches reminds us that today’s public and
private sector practices are not working.
Is access to technology to blame?
As we race to purchase the latest device and increase technology savvy, we rarely think about the
malicious user who now has access to the same increased capabilities. With a computer, anyone
anywhere can be a hacker.
Does that sound glamorous to the younger, idealist generation, or even the older, less in-demand
veteran? The fact is, technology is user-agnostic: it doesn’t care whether it’s being used for good or
evil.
Risk acceptance is part of our changing world.
It’s human nature to avoid acknowledging risk and dealing with it head-on, but the damage that can
result from a security breach can no longer be ignored. Furthermore, everyone needs to be
accountable.
Consumers shouldn’t assume their data is being protected. Companies must take whatever
precautions necessary to thwart an internal/external invasion.
People have too much access to information, most of which they don’t need.
Assigning user access permissions, identifying a company’s critical data and enacting monitoring
tools are steps in the right direction to establishing successful security practices.
I recently met with a security guru from the government sector who suggested the following
approach: strip every employee of access to everything and make them lobby for only the data they
need to effectively do their job, and grant monitored access from there.
It sounds extreme, but it makes sense. If you know who has access to what information, why they
have access, when they should access it and for how long, you can accurately track normal
behavioral patterns and spot anomalies.
It’s not just about protection and detection, but ongoing security management.
Securing data is an endless loop of establishing controls, testing/monitoring, evaluating success
and making adjustments. Institute defense in depth layers.
Encrypt sensitive or regulated data. Patch all systems, workstations, servers, endpoints, etc.
throughout the supply chain, and keep them current with updates and baseline standards.
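As an added illustration of the strip-everything, justify-and-monitor approach described above, and of the establish-controls, monitor, evaluate, adjust loop, here is a small default-deny access registry in Python. It is example code written for this page, not code from the article or from any Cryptzone product; the users, resources, reasons and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Added illustration (not the author's or Cryptzone's code): nobody can touch
# anything until a grant with a stated reason and an expiry exists, every
# decision is logged, and the log is reviewed so grants can be revoked.


@dataclass
class Grant:
    user: str
    resource: str
    reason: str          # why this person needs the data
    start: datetime      # when access should begin
    end: datetime        # and when it should stop


@dataclass
class AccessRegistry:
    grants: List[Grant] = field(default_factory=list)
    log: List[Tuple[datetime, str, str, bool]] = field(default_factory=list)

    def grant(self, user, resource, reason, start, hours):
        """Create a time-bounded grant; an empty justification is rejected."""
        if not reason.strip():
            raise ValueError("every grant needs a stated business reason")
        g = Grant(user, resource, reason, start, start + timedelta(hours=hours))
        self.grants.append(g)
        return g

    def check(self, user, resource, now):
        """Default deny: allowed only while a matching, unexpired grant exists."""
        allowed = any(
            g.user == user and g.resource == resource and g.start <= now < g.end
            for g in self.grants
        )
        self.log.append((now, user, resource, allowed))
        return allowed

    def denied_attempts(self):
        """Attempts outside any grant: the 'who, what, when' anomalies to review."""
        return [(t, u, r) for (t, u, r, ok) in self.log if not ok]

    def unused_grants(self):
        """Grants never exercised: candidates for revocation at the next review."""
        used = {(u, r) for (_, u, r, ok) in self.log if ok}
        return [g for g in self.grants if (g.user, g.resource) not in used]

    def expire(self, now):
        """Drop grants whose window has closed; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.end > now]
        return before - len(self.grants)


def run_scenario():
    """Constructed sample activity (hypothetical users and resources)."""
    reg = AccessRegistry()
    t0 = datetime(2015, 9, 1, 9, 0)
    reg.grant("alice", "payroll-db", "month-end payroll run", t0, hours=8)
    reg.grant("bob", "hr-files", "onboarding review", t0, hours=4)

    # A grant with no justification must be refused outright.
    try:
        reg.grant("dave", "payroll-db", "   ", t0, hours=1)
        rejected = False
    except ValueError:
        rejected = True

    decisions = [
        reg.check("alice", "payroll-db", t0 + timedelta(hours=1)),  # inside window
        reg.check("alice", "payroll-db", t0 + timedelta(hours=9)),  # after expiry
        reg.check("alice", "hr-files", t0 + timedelta(hours=1)),    # never granted
        reg.check("carol", "payroll-db", t0 + timedelta(hours=2)),  # no grant at all
    ]
    unused = [(g.user, g.resource) for g in reg.unused_grants()]    # bob never used his
    dropped = reg.expire(t0 + timedelta(hours=5))                   # bob's 4h grant lapses
    return {
        "rejected_empty_reason": rejected,
        "decisions": decisions,
        "denied": reg.denied_attempts(),
        "unused": unused,
        "expired": dropped,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The denied list is the raw material for anomaly review: each entry names a person, a resource and a time at which no justified grant existed. The unused and expired lists feed the adjustment step of the loop, since a grant nobody exercises is access nobody needed.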
13 Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide